再放一份驱动域名劫持的代码
年后求个职:qq->*******[DeDf]
就是访问A.com转到b.com,当然如果改成访问A就丢包,那就变成拦截指定网站了。
过程比较曲折:
首先用抓包工具发现,访问某网站时,(如果本地没有该网站的DNS缓存)首先会发DNS查询包(UDP),然后会与该网站建立连接,然后,发http请求包。
观察包内容,需要把发出的包的目标改成我们的目标,然后把响应的包中我们改过的东西改回来,就是欺上瞒下。代码不多,重点是演示了如何获取TCP与UDP的接收到包的内容。仅适用于XP:
bin会将
ca6K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3u0S2K9h3c8#2i4K6u0W2j5$3!0E0i4@1f1#2i4K6S2m8i4@1q4n7i4@1f1$3i4K6S2o6i4K6R3I4i4@1f1#2i4K6R3^5i4@1t1H3K9i4l9I4x3K6S2Q4x3X3g2U0L8$3#2Q4x3X3g2Q4c8e0g2Q4b7e0k6Q4z5o6u0Q4c8e0k6Q4z5f1g2Q4z5f1y4Q4c8e0g2Q4z5p5q4Q4b7e0m8Q4c8e0S2Q4b7V1c8Q4b7V1c8Q4c8e0S2Q4b7f1k6Q4b7e0g2Q4c8e0W2Q4b7e0W2Q4b7U0q4Q4c8e0g2Q4z5p5q4Q4b7e0S2Q4c8e0g2Q4z5o6W2Q4z5p5c8Q4c8e0S2Q4b7f1g2Q4b7V1k6Q4c8e0W2Q4z5e0N6Q4b7f1g2Q4c8e0S2Q4b7V1k6Q4z5o6N6T1j5h3W2V1N6g2!0q4c8W2!0n7b7#2)9^5b7#2!0q4z5q4!0m8c8W2!0n7y4#2!0q4y4g2)9&6b7#2!0m8z5r3y4E0k6q4!0q4z5g2)9^5y4#2)9^5b7#2!0q4y4W2)9^5z5g2!0m8y4#2!0q4z5q4!0m8x3g2)9^5b7$3W2H3j5$3!0F1k6X3W2Y4 /flushdns.
#include <ntddk.h>
#include <tdikrnl.h>
/* Signature of an IRP major-function dispatch routine (used for the saved
 * original IRP_MJ_INTERNAL_DEVICE_CONTROL entry). */
typedef NTSTATUS (__stdcall *MJ) (IN PDEVICE_OBJECT DeviceObject, IN PIRP irp);
/* Original IRP_MJ_INTERNAL_DEVICE_CONTROL dispatch routine of the driver
 * that owns \Device\Udp, saved by DriverEntry so mj_handle can chain to it. */
MJ mj_addr = NULL; // IRP_MJ_INTERNAL_DEVICE_CONTROL
/* Device object for \Device\Udp, resolved in DriverEntry. */
PDEVICE_OBJECT g_udp_DevObj = NULL;
/* Most recently registered client receive-datagram / receive event handlers
 * captured in mj_handle (TDI_SET_EVENT_HANDLER). Each is a single global, so
 * only the last registration is remembered; see the note in mj_handle. */
PTDI_IND_RECEIVE_DATAGRAM original_udp_EventHandler = NULL;
PTDI_IND_RECEIVE original_tcp_EventHandler = NULL;
/* Hooked dispatch routine, see definition below. */
NTSTATUS mj_handle(IN PDEVICE_OBJECT DeviceObject, IN PIRP irp);
/* Replacement TDI_EVENT_RECEIVE_DATAGRAM handler, see definition below. */
NTSTATUS tdi_event_receive_datagram(
IN PVOID TdiEventContext,
IN LONG SourceAddressLength,
IN PVOID SourceAddress,
IN LONG OptionsLength,
IN PVOID Options,
IN ULONG ReceiveDatagramFlags,
IN ULONG BytesIndicated,
IN ULONG BytesAvailable,
OUT ULONG *BytesTaken,
IN PVOID Tsdu,
OUT PIRP *IoRequestPacket);
/* Replacement TDI_EVENT_RECEIVE handler (logging pass-through), see below. */
NTSTATUS tdi_event_receive(
__in_opt PVOID TdiEventContext,
__in_opt CONNECTION_CONTEXT ConnectionContext,
__in ULONG ReceiveFlags,
__in ULONG BytesIndicated,
__in ULONG BytesAvailable,
__out ULONG *BytesTaken,
__in PVOID Tsdu, // pointer describing this TSDU, typically a lump of bytes
__out_opt PIRP *IoRequestPacket // TdiReceive IRP if MORE_PROCESSING_REQUIRED.
);
/* Resolves a device name to its device object, see definition below. */
NTSTATUS get_device_object(WCHAR *name, PDEVICE_OBJECT *devobj);
/*
 * Driver entry point. Resolves \Device\Udp, then swaps the
 * IRP_MJ_INTERNAL_DEVICE_CONTROL entry of that device's *driver object* for
 * mj_handle, saving the previous routine in mj_addr so it can be chained.
 *
 * Review notes:
 *   - The hook lives in the driver object's MajorFunction table, so it is hit
 *     by every device that driver serves, not only the UDP device (presumably
 *     why TCP TDI_SEND IRPs also reach mj_handle).
 *   - No DriverUnload routine is registered and the original entry is never
 *     written back: once loaded the driver cannot be unloaded without leaving
 *     a dangling dispatch pointer in the transport driver.
 *   - Pointers are exchanged through (ULONG) casts, so this is 32-bit only,
 *     consistent with the post's "XP only" remark.
 *   - `if (status)` treats every non-zero NTSTATUS as failure, including
 *     informational/warning codes; NT_SUCCESS() is the usual test.
 *   - pRegistryString is unused.
 *
 * @return STATUS_SUCCESS once the hook is installed, otherwise the error
 *         returned by get_device_object().
 */
NTSTATUS DriverEntry(PDRIVER_OBJECT DriverObject, PUNICODE_STRING pRegistryString)
{
    NTSTATUS status;
    status = get_device_object(L"\\Device\\Udp", &g_udp_DevObj);
    if (status)
    {
        KdPrint(("[tdi_fw] DriverEntry: get_device_object(udp): 0x%x\n", status));
        return status;
    }
    /* Remember the original dispatch routine before replacing it; mj_handle
     * forwards every IRP to it. */
    mj_addr = g_udp_DevObj->DriverObject->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL];
    /* Atomic 32-bit swap of the function pointer in the shared driver object. */
    InterlockedExchange(
        (ULONG*)&(g_udp_DevObj->DriverObject->MajorFunction[IRP_MJ_INTERNAL_DEVICE_CONTROL]),
        (ULONG)mj_handle);
    return status;
}
/*
 * Dispatch hook installed over IRP_MJ_INTERNAL_DEVICE_CONTROL of the driver
 * that owns \Device\Udp (see DriverEntry). Every TDI internal-IOCTL IRP for
 * that driver passes through here before being forwarded to the original
 * dispatch routine saved in mj_addr.
 *
 * Behaviour by TDI minor function:
 *   TDI_SEND              - if the payload starts with "GET / HTTP", the header
 *                           block is scanned line by line for a 19-byte
 *                           "Host: ..." prefix, which is overwritten in place
 *                           with another 19-byte prefix.
 *   TDI_SEND_DATAGRAM     - if the two bytes at offset 2 (the DNS flags field)
 *                           read as 0x0001 little-endian, i.e. 01 00 on the
 *                           wire, the five bytes at offset 17 are compared and
 *                           overwritten in place (same length, so the QNAME
 *                           label-length byte is unchanged).
 *   TDI_SET_EVENT_HANDLER - the client's receive / receive-datagram event
 *                           handlers are swapped for tdi_event_receive /
 *                           tdi_event_receive_datagram and the previous value
 *                           is kept in a single global.
 * Every other minor function is only logged.
 *
 * Review notes (defects a maintainer or analyst should be aware of):
 *   - MmGetSystemAddressForMdlSafe() can return NULL; it is never checked, so
 *     a failed mapping dereferences NULL at IRQL.
 *   - Neither memcmp() nor the header scan is bounded by the MDL byte count
 *     (MmGetMdlByteCount is never consulted). A request whose "\r\n\r\n" is
 *     not inside this TSDU makes the for-loop walk past the buffer.
 *   - Offset 17 is the second QNAME label only when the first label is three
 *     characters long (e.g. "www"); any other name shape is compared against
 *     unrelated bytes. The little-endian USHORT reads are x86-specific.
 *   - The "original handler" globals are overwritten on every registration,
 *     so after two address objects register handlers, the hook calls the
 *     wrong original for the first one. Nothing ever restores the handlers.
 *   - The string literals at the Host: comparison have been rewritten by the
 *     forum's link encoder; the original 19-byte values are not recoverable
 *     from this page. Both literals must stay 19 bytes for the memcpy to be
 *     an in-place, length-preserving replacement.
 *   - `¶m->EventHandler` below is an extraction artifact of `&param->...`
 *     (an HTML `&para` entity); it is left as found on the page.
 *   - 32-bit only: function pointers are exchanged through ULONG casts.
 *
 * @return Whatever the original dispatch routine (mj_addr) returns.
 */
NTSTATUS mj_handle(IN PDEVICE_OBJECT DeviceObject, IN PIRP irp)
{
    /* Same location IoGetCurrentIrpStackLocation() would yield. */
    PIO_STACK_LOCATION pIrpSp = irp->Tail.Overlay.CurrentStackLocation;
    PVOID pData;
    switch (pIrpSp->MinorFunction)
    {
    case TDI_SEND:
        KdPrint(("=TDI_SEND!\n"));
        /* May be NULL on failure -- not checked (see header note). */
        pData = MmGetSystemAddressForMdlSafe((irp->MdlAddress),NormalPagePriority);
        //_asm int 3
        if ( !memcmp(pData, "GET / HTTP", 10) )
        {
            ULONG i;
            /* Unbounded scan for CRLF; stops only at the CRLFCRLF header end. */
            for (i = 11; ; i++)
            {
                if ( *((char*)pData + i) == '\r' && *((char*)pData + i + 1) == '\n' )
                {
                    if ( *((char*)pData + i + 2) == '\r' && *((char*)pData + i + 3) == '\n' )
                        break;
                    /* Line start follows the CRLF; compare/replace 19 bytes in place. */
                    if ( !memcmp((char*)pData + i + 2, "Host:
026K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3u0S2K9h3c8#2i4K6u0W2j5$3!0E0 ", 19) )
                        memcpy( (char*)pData + i + 2, "Host:
7abK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3W2H3x3e0x3^5i4K6u0W2j5$3!0E0 ", 19 );
                }
            }
        }
        break;
    case TDI_RECEIVE:
        KdPrint(("=TDI_RECEIVE!\n"));
        //_asm int 3
        break;
    case TDI_SEND_DATAGRAM:
    {
        // PTDI_REQUEST_KERNEL_SENDDG param = (TDI_REQUEST_KERNEL_SENDDG*)(&pIrpSp->Parameters);
        // TA_ADDRESS *remote_addr = ((TRANSPORT_ADDRESS *)(param->SendDatagramInformation->RemoteAddress))->Address;
        // sockaddr_in *remote_saddr = (sockaddr_in*)(&remote_addr->AddressType);
        KdPrint(("=TDI_SEND_DATAGRAM!\n"));
        /* May be NULL on failure -- not checked (see header note). */
        pData = MmGetSystemAddressForMdlSafe((irp->MdlAddress),NormalPagePriority);
        /* USHORT at byte offset 2: DNS flags, 0x0001 LE == wire bytes 01 00. */
        if ( *((PUSHORT)pData + 1) == 0x0001 )
        {
            KdPrint(("==DNS query!\n"));
            //_asm int 3
            /* Offset 17: second QNAME label after a 12-byte header and a
             * 3-character first label; no length check against the MDL. */
            if ( !memcmp((char*)pData + 17, "baidu", 5) )
                memcpy( (char*)pData + 17, "ip138", 5 );
        }
    }
        break;
    case TDI_RECEIVE_DATAGRAM:
        KdPrint(("=TDI_RECEIVE_DATAGRAM!\n"));
        break;
    case TDI_SET_EVENT_HANDLER:
    {
        PTDI_REQUEST_KERNEL_SET_EVENT param = (TDI_REQUEST_KERNEL_SET_EVENT*)&(pIrpSp->Parameters);
        switch(param->EventType)
        {
        case TDI_EVENT_RECEIVE:
            KdPrint(("!!!==TDI_EVENT_RECEIVE!!!\n"));
            /* NULL EventHandler means the client is clearing its handler;
             * that case is passed through untouched. */
            if (param->EventHandler)
            {
                /* Single global: the last registration wins (see header note). */
                original_tcp_EventHandler = param->EventHandler;
                InterlockedExchange((PULONG)¶m->EventHandler, (ULONG)tdi_event_receive);
            }
            break;
        case TDI_EVENT_CHAINED_RECEIVE:
            KdPrint(("!!!==TDI_EVENT_CHAINED_RECEIVE!!!\n"));
            break;
        case TDI_EVENT_RECEIVE_DATAGRAM:
            KdPrint(("!!!==TDI_EVENT_RECEIVE_DATAGRAM!!!\n"));
            if (param->EventHandler)
            {
                /* Single global: the last registration wins (see header note). */
                original_udp_EventHandler = param->EventHandler;
                InterlockedExchange((PULONG)¶m->EventHandler, (ULONG)tdi_event_receive_datagram);
            }
            break;
        case TDI_EVENT_CHAINED_RECEIVE_DATAGRAM:
            KdPrint(("!!!==TDI_EVENT_CHAINED_RECEIVE_DATAGRAM!!!\n"));
            break;
        }
    }
        break;
    }
    /* Always chain to the transport's original dispatch routine. */
    return mj_addr(DeviceObject, irp);
}
/*
 * Resolves a device name (e.g. L"\\Device\\Udp") to its PDEVICE_OBJECT.
 *
 * IoGetDeviceObjectPointer() hands back a referenced file object together
 * with the device object; the file object reference is dropped right away and
 * only the device pointer is kept for the caller.
 *
 * NOTE(review): the device object pointer is documented as valid while the
 * file object reference is held, so after ObDereferenceObject(fileobj) the
 * caller's *devobj carries no reference of its own. That is tolerated here
 * only because the transport driver stays loaded -- confirm before reusing
 * this helper elsewhere.
 *
 * @param name   NUL-terminated wide device name.
 * @param devobj Receives the device object; meaningful only on success.
 * @return NTSTATUS from IoGetDeviceObjectPointer().
 */
NTSTATUS get_device_object(WCHAR *name, PDEVICE_OBJECT *devobj)
{
    NTSTATUS status;
    UNICODE_STRING str;
    PFILE_OBJECT fileobj;
    RtlInitUnicodeString(&str, name);
    status = IoGetDeviceObjectPointer(&str, FILE_ALL_ACCESS, &fileobj, devobj);
    /* Drop the file object reference immediately (see note above). */
    if (status == STATUS_SUCCESS)
        ObDereferenceObject(fileobj);
    return status;
}
/*
 * Replacement TDI_EVENT_RECEIVE_DATAGRAM handler, installed by mj_handle.
 *
 * If the two bytes at offset 2 of the indicated datagram (the DNS flags
 * field) read as 0x8081 little-endian -- wire bytes 81 80, which the code
 * labels a DNS reply -- the five bytes at offset 17 are compared and
 * overwritten in place, reversing the substitution the TDI_SEND_DATAGRAM
 * branch of mj_handle made on the query. Nothing else in the datagram is
 * touched. The indication is then forwarded, unchanged in every other
 * respect, to the handler saved in original_udp_EventHandler.
 *
 * Review notes:
 *   - Tsdu is treated as a flat byte buffer (the tdikrnl.h comment quoted in
 *     this file says "typically a lump of bytes"); BytesIndicated is never
 *     compared against the 22 bytes read/written here.
 *   - The buffer belongs to the transport and is modified in place.
 *   - original_udp_EventHandler is whichever client handler registered last;
 *     if no registration was seen it is NULL and this call faults.
 *
 * @return The original handler's NTSTATUS.
 */
NTSTATUS tdi_event_receive_datagram(
IN PVOID TdiEventContext,
IN LONG SourceAddressLength,
IN PVOID SourceAddress,
IN LONG OptionsLength,
IN PVOID Options,
IN ULONG ReceiveDatagramFlags,
IN ULONG BytesIndicated,
IN ULONG BytesAvailable,
OUT ULONG *BytesTaken,
IN PVOID Tsdu,
OUT PIRP *IoRequestPacket)
{
    KdPrint(("tdi_event_receive_datagram()\n"));
    /* USHORT at byte offset 2: DNS flags, 0x8081 LE == wire bytes 81 80. */
    if ( *((PUSHORT)Tsdu + 1) == 0x8081 )
    {
        KdPrint(("===DNS reply!\n"));
        /* Same fixed offset as the query-side rewrite; no bounds check. */
        if ( !memcmp((char*)Tsdu + 17, "ip138", 5) )
            memcpy( (char*)Tsdu + 17, "baidu", 5 );
    }
    /* Chain to the client's real handler with all arguments unchanged. */
    return original_udp_EventHandler(
        TdiEventContext,
        SourceAddressLength,
        SourceAddress,
        OptionsLength,
        Options,
        ReceiveDatagramFlags,
        BytesIndicated,
        BytesAvailable,
        BytesTaken,
        Tsdu,
        IoRequestPacket);
}
/*
 * Replacement TDI_EVENT_RECEIVE handler, installed by mj_handle.
 *
 * Pure pass-through: logs the indication and forwards every argument
 * unchanged to the client handler saved in original_tcp_EventHandler. The
 * TCP data is not inspected or modified here (the HTTP rewrite happens on
 * the send path in mj_handle).
 *
 * Review note: original_tcp_EventHandler is whichever client handler
 * registered last; if it is NULL this call faults.
 *
 * @return The original handler's NTSTATUS.
 */
NTSTATUS tdi_event_receive(
__in_opt PVOID TdiEventContext,
__in_opt CONNECTION_CONTEXT ConnectionContext,
__in ULONG ReceiveFlags,
__in ULONG BytesIndicated,
__in ULONG BytesAvailable,
__out ULONG *BytesTaken,
__in PVOID Tsdu, // pointer describing this TSDU, typically a lump of bytes
__out_opt PIRP *IoRequestPacket // TdiReceive IRP if MORE_PROCESSING_REQUIRED.
)
{
    KdPrint(("tdi_event_receive()\n"));
    return original_tcp_EventHandler(
        TdiEventContext,
        ConnectionContext,
        ReceiveFlags,
        BytesIndicated,
        BytesAvailable,
        BytesTaken,
        Tsdu, // pointer describing this TSDU, typically a lump of bytes
        IoRequestPacket // TdiReceive IRP if MORE_PROCESSING_REQUIRED.
    );
}
这是附件:
DNS_Redirect.7z